CVE-2024-45337

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published Dec 12, 2024

Summary

CVE-2024-45337 affects applications and libraries that misuse the ServerConfig.PublicKeyCallback callback during SSH authentication. PublicKeyCallback does not guarantee that the key it is given is the one that ends up authenticating the connection, so an application that makes security decisions based on a key passed to PublicKeyCallback may wrongly assume the attacker controls the corresponding private key, and its authorization checks can be bypassed.

To reduce this risk, the golang.org/x/crypto library enforces the property that the last key passed to ServerConfig.PublicKeyCallback is the key used to authenticate the connection. This does not cover other authentication methods, such as PasswordCallback or KeyboardInteractiveCallback, which may complete authentication without using the last key passed to PublicKeyCallback. Developers are advised to use the Extensions field of the Permissions value returned from authentication callbacks to record data associated with each authentication attempt, rather than relying on external state.
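The misuse the advisory describes, as an added example that is not code from this page or from golang.org/x/crypto: a standard-library-only Go model of the server's publickey loop in which the callback is consulted for a key the client merely queries and never proves it holds. The Permissions type, serve, the role map and the session data are constructed stand-ins; the real library's types and loop differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type Permissions struct{ Extensions map[string]string } // constructed stand-in shaped like ssh.Permissions

var sessionData = []byte("constructed stand-in for the signed SSH session data")

// serve models the server's publickey loop: queried keys reach the callback although the client has proven nothing about them; only the final signed attempt authenticates, and only that attempt's Permissions count.
func serve(connID string, cb func(string, ed25519.PublicKey) (*Permissions, error), queries []ed25519.PublicKey, key ed25519.PublicKey, sig []byte) (*Permissions, error) {
	for _, q := range queries {
		cb(connID, q) // "would this key be acceptable?"
	}
	perms, err := cb(connID, key)
	if err != nil || !ed25519.Verify(key, sessionData, sig) {
		return nil, errors.New("authentication failed")
	}
	return perms, nil
}

// runScenario: the attacker knows admin's public key but holds only guest's private key; it returns the role the application would grant under each callback pattern.
func runScenario() (fromExternalState, fromExtensions string) {
	adminPub, _, _ := ed25519.GenerateKey(rand.Reader)
	guestPub, guestPriv, _ := ed25519.GenerateKey(rand.Reader)
	roles := map[string]string{string(adminPub): "admin", string(guestPub): "guest"} // constructed
	safe := func(_ string, key ed25519.PublicKey) (*Permissions, error) { // recommended pattern
		if role, ok := roles[string(key)]; ok {
			return &Permissions{Extensions: map[string]string{"role": role}}, nil
		}
		return nil, errors.New("unknown key")
	}
	seen := map[string]string{} // misuse: identity kept in state outside the callback
	misuse := func(connID string, key ed25519.PublicKey) (*Permissions, error) {
		perms, err := safe(connID, key) // same lookup, but the identity is stashed externally
		if err == nil && seen[connID] == "" {
			seen[connID] = perms.Extensions["role"] // trusts the first acceptable key offered
		}
		return &Permissions{}, err
	}
	sig := ed25519.Sign(guestPriv, sessionData)
	_, err1 := serve("conn-1", misuse, []ed25519.PublicKey{adminPub}, guestPub, sig)
	perms, err2 := serve("conn-2", safe, []ed25519.PublicKey{adminPub}, guestPub, sig)
	if err1 != nil || err2 != nil {
		return "", ""
	}
	return seen["conn-1"], perms.Extensions["role"] // "admin" (never proven) vs "guest"
}
```

With the external-state pattern the connection is treated as admin on the strength of a key the client only queried; with Extensions the role is whatever the authenticating attempt's callback returned.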
